Businesses are responsible for the security of their data, even when it is held on cloud providers’ infrastructure, says ICO

The Information Commissioner’s Office (ICO) has issued guidance on cloud computing, warning that businesses need to remember that under British law they are responsible for whatever happens to their data.

The guidance includes advice on seeking assurances on data security in the cloud and assessing the physical security of cloud vendors’ data centres. It also recommends ensuring companies secure proper service level agreements (SLAs) from providers.

“The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility,” said Dr Simon Rice, ICO technology policy advisor.

Don’t be naïve

“It would be naïve for an organisation to take the attitude that these guidelines are too much effort to simply store some data in a different place. Where personal information is involved, the stakes are high and the ICO has already demonstrated it will act firmly against those who don’t meet data protection laws.

“Figures show that consumers are concerned about how secure their data is when they use cloud storage themselves. It takes little imagination to consider that businesses not reflecting those concerns will quickly find themselves losing customers’ good will.”

The ICO has severely punished a number of firms for not taking care of data when outsourcing operations. The Scottish Borders Council was handed a £250,000 fine after the ICO said it had failed to properly manage a company it had employed to digitise pension records. The council is considering an appeal, however.

One advantage of using a proper cloud provider is that the clustered storage systems do not have any readable information on an individual disk because of the way the data is stripped across machines and disks.

Which means that even if their accredited secure disposal fails to wipe disks properly. It will not be possible to recover the data with out the rest of the disk set which will be spread over multiple machines and arrays.

PS This has happened a number of years ago on a much larger scale and the provider had to buy and trace all the disks through ebay to recover them.